Passive DNS Pivoting – Uncovering APT Infrastructure Through Historical Records and Subdomain Analysis

This analysis expands on Microsoft’s ACTINIUM threat actor report by using passive DNS to map domain patterns and pivot to updated infrastructure. It demonstrates a practical, low-cost workflow using Validin and CyberChef to identify new ACTINIUM domains and validate them against the Microsoft findings. #ACTINIUM #Microsoft #PassiveDNS #Validin #CyberChef

Keypoints

  • The analysis expands on Microsoft’s ACTINIUM threat actor report from 2022 using passive DNS to identify domain patterns and new infrastructure.
  • It highlights how IP history, registration dates, and subdomain wordlists can signal ACTINIUM infrastructure.
  • A bulk search via Validin returns 20,402 indicators across 124 domains, illustrating the data volume involved.
  • CyberChef is used to sort, deduplicate and count the results, revealing one IP (139.180.174[.]234) reused across 49 occurrences, the most of any resolved IP.
  • Pivoting on that resolved IP, then filtering by resolution dates (around 2022-07-27) and the .ru TLD, narrows the search to likely ACTINIUM-related domains.
  • Comparison against the Microsoft report surfaces newly identified domains (e.g., torfasta[.]ru, vilitord[.]ru): the pivot yields ~159 unique .ru domains, and a set difference against the originally reported list leaves 122 candidates not in the report.
  • The post demonstrates a repeatable, low-cost workflow (Validin, CyberChef) for students and analysts to reproduce the intelligence with free tooling.
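The keypoints above describe one procedure: count resolved IPs in a bulk passive-DNS export, pivot on the most reused IP, filter the pivoted domains by date window and TLD, then set-difference the result against the vendor's reported list. The following is an added Python example that carries the whole procedure out over a constructed sample export; it is not code from the original post or from Validin. The record shape (domain, ip, first_seen, last_seen), the placeholder domain names, the noise IPs, the 2022-07-01 to 2022-08-31 window and the stand-in reported list are all assumptions made for the example; only the pivot IP 139.180.174[.]234 comes from the page.

```python
"""Passive DNS pivot: bulk export -> most reused IP -> dated/TLD-filtered candidates -> set difference."""
from collections import Counter
from datetime import date

# Constructed sample in the shape of a passive-DNS bulk export:
# (domain, resolved_ip, first_seen, last_seen). Domain names are invented
# placeholders for this example; only 139.180.174.234 comes from the write-up.
# 198.51.100.7 and 203.0.113.9 are documentation-range addresses used as noise.
SAMPLE_RECORDS = [
    ("reported-1.ru",     "139.180.174.234", "2022-07-27", "2022-09-01"),
    ("reported-2.ru",     "139.180.174.234", "2022-07-26", "2022-08-15"),
    ("reported-3.online", "139.180.174.234", "2022-07-27", "2022-08-20"),
    ("candidate-a.ru",    "139.180.174.234", "2022-07-28", "2022-08-30"),
    ("candidate-b.ru",    "139.180.174.234", "2022-08-02", "2022-09-10"),
    ("stale-host.ru",     "139.180.174.234", "2019-03-01", "2019-06-01"),  # old tenant, same IP
    ("other-tld.com",     "139.180.174.234", "2022-07-29", "2022-08-01"),  # right time, wrong pattern
    ("reported-1.ru",     "198.51.100.7",    "2022-05-01", "2022-06-01"),
    ("unrelated.net",     "198.51.100.7",    "2022-01-01", "2022-02-01"),
    ("unrelated-2.ru",    "203.0.113.9",     "2022-07-27", "2022-08-01"),  # right time, wrong IP
]

# Stand-in for the domains listed in the vendor report being compared against.
REPORTED_DOMAINS = {"reported-1.ru", "reported-2.ru", "reported-3.online"}


def ip_counts(records):
    """Count records per resolved IP (the CyberChef sort / unique / count step)."""
    return Counter(ip for _, ip, _, _ in records)


def pivot_on_ip(records, ip):
    """Every domain that has ever resolved to `ip`, before any filtering."""
    return {domain for domain, rec_ip, _, _ in records if rec_ip == ip}


def filter_candidates(records, ip, tld, start, end):
    """Keep domains on `ip` whose name ends in `tld` and whose first_seen lies in [start, end].

    The date window drops earlier tenants of a shared host; the TLD filter follows
    the naming pattern observed in the reported set. Both parameters are assumptions
    an analyst tunes per campaign.
    """
    keep = set()
    for domain, rec_ip, first_seen, _ in records:
        if rec_ip != ip or not domain.endswith(tld):
            continue
        if start <= date.fromisoformat(first_seen) <= end:
            keep.add(domain)
    return keep


def defang(indicator):
    """Bracket the last dot, matching the report's [.] convention for IPs and domains."""
    head, _, tail = indicator.rpartition(".")
    return f"{head}[.]{tail}"


def run_pivot(records, reported, tld=".ru",
              start=date(2022, 7, 1), end=date(2022, 8, 31)):
    """Full workflow; returns the intermediate sets so each step can be inspected."""
    counts = ip_counts(records)
    top_ip, top_count = counts.most_common(1)[0]
    candidates = filter_candidates(records, top_ip, tld, start, end)
    return {
        "top_ip": top_ip,
        "top_count": top_count,
        "pivot_domains": pivot_on_ip(records, top_ip),
        "candidates": candidates,
        "new_domains": sorted(candidates - reported),  # the set-difference step
    }


if __name__ == "__main__":
    result = run_pivot(SAMPLE_RECORDS, REPORTED_DOMAINS)
    print(f"pivot IP {defang(result['top_ip'])} seen {result['top_count']} times")
    print(f"{len(result['pivot_domains'])} domains on that IP, "
          f"{len(result['candidates'])} pass the date/TLD filter")
    for domain in result["new_domains"]:
        print("not in report:", defang(domain))
```

The intermediate sets are returned on purpose: the raw pivot set is where the caveat lives, since a heavily reused IP can simply be shared hosting, and `stale-host.ru` and `other-tld.com` show why the date window and TLD filter are applied before anything is treated as a candidate. Before adding a surviving domain to an indicator list, confirm it against a second source (registration date, shared name-server, certificate) rather than relying on IP co-location alone.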

MITRE Techniques

  • [T1583] Acquire Infrastructure – The article demonstrates identifying infrastructure reused across domains and using it as pivot points to discover new or unreported domains. “The goal here is to identify infrastructure that was most re-used across the reported domains, and to use these as pivot points to identify new or unreported domains.” “We can take this most common IP 139.180.174[.]234 and search for it in the bulk export.”

Indicators of Compromise

  • [Domain] Domains associated with ACTINIUM infrastructure (initial and newly identified) – acetica[.]online, akowaika[.]ru, torfasta[.]ru, vilitord[.]ru, hersopa[.]ru
  • [IP] Pivot/IP used for pivoting – 139.180.174[.]234

Read more: https://www.embeeresearch.io/uncovering-apt-infrastructure-with-passive-dns-pivoting/